HP and Cisco – VLANs and Trunks Confusion!

KB ID 0000741

Problem

When I first started in IT, I went and did my Cisco CCNA. So I learned that to connect Cisco switches and pass VLAN traffic between them, I needed to create a ‘Trunk’ to pass the VLAN traffic. Fast forward a few years, and I now work for an HP reseller. Very early on I came to realise that what HP called a ‘trunk’ was very different from what I had been taught. Below is an article I did a while ago about setting up HP Trunks.

HP Networking ‘ProCurve’ – Trunking / Aggregating Ports

I was in some HP/Wireless training last week and once again I was struggling with their terminology, so today I lined up a bunch of switches on the test bench and worked out the differences.

Below you will find the following scenarios:

Scenario 1 Configuring Cisco Catalyst Switches with VLANs.

Scenario 2 Configuring HP Switches with VLANs.

Scenario 3 Setting up HP Switches with Trunked VLANs

Scenario 4 Setup VLANs via HP Trunks and Cisco Port Channels

Setting up VLANs on older Cisco Switches

Solution

Scenario 1 Configuring Cisco Catalyst Switches with VLANs.

In ‘Ciscoland’ every switch port is either in access mode or trunk mode. An access port belongs to a single VLAN and sends and receives untagged frames for it, so the device on the end needs to know nothing about VLANs. A trunk port carries the traffic of several VLANs to another switch (or other VLAN-aware device), with an 802.1Q tag on each frame saying which VLAN it belongs to; the one exception is the native VLAN (VLAN 1 by default), whose frames cross the trunk untagged. So to replicate the diagram above, this is what you would need to do. Two things worth noting in the config: setting ‘switchport mode trunk’ explicitly is better than leaving the port to negotiate trunking with DTP (add ‘switchport nonegotiate’ if you want DTP silenced altogether), and the ‘switchport trunk allowed vlan’ line is what stops every VLAN on the switch being carried across the link, which is the default. (Note: For older switches like the 3550XL the VLAN commands are a little different, see the last section of this article.)

[box]

Switch01>
 Switch01>enable
 Password: xxxxxxxx
 Switch01#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch01(config)#vlan 10
 Switch01(config-vlan)#name Admin
 Switch01(config-vlan)#exit
 Switch01(config)#vlan 20
 Switch01(config-vlan)#name Data
 Switch01(config-vlan)#exit
 Switch01(config)#int f0/2
 Switch01(config-if)#switchport mode access
 Switch01(config-if)#switchport access vlan 10
 Switch01(config-if)#exit
 Switch01(config)#int f0/16
 Switch01(config-if)#switchport mode access
 Switch01(config-if)#switchport access vlan 20
 Switch01(config-if)#exit
 Switch01(config)#int f0/23
 Switch01(config-if)#switchport mode trunk
 Switch01(config-if)#switchport trunk allowed vlan 1,10,20
 Switch01(config-if)#exit
 Switch01(config)#exit
 Switch01#write mem
 Building configuration...
 [OK]
 Switch01#
 
 
 
 Switch02>
 Switch02>enable
 Password: xxxxxxx
 Switch02#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch02(config)#vlan 10
 Switch02(config-vlan)#name Admin
 Switch02(config-vlan)#exit
 Switch02(config)#vlan 20
 Switch02(config-vlan)#name Data
 Switch02(config-vlan)#exit
 Switch02(config)#int f0/2
 Switch02(config-if)#switchport mode access
 Switch02(config-if)#switchport access vlan 10
 Switch02(config-if)#exit
 Switch02(config)#int f0/15
 Switch02(config-if)#switchport mode access
 Switch02(config-if)#switchport access vlan 20
 Switch02(config-if)#exit
 Switch02(config)#int f0/1
 Switch02(config-if)#switchport mode trunk
 Switch02(config-if)#switchport trunk allowed vlan 1,10,20
 Switch02(config-if)#exit
 Switch02(config)#exit
 Switch02#write mem
 Building configuration...
 [OK]
 Switch02#[/box]

Scenario 2 Configuring HP Switches with VLANs.

With HP switches the terminology is different: here a switch port is either a tagged member or an untagged member of each VLAN it belongs to.

What’s the difference between tagged and untagged? If a port is a tagged member of a VLAN, the frames it sends for that VLAN carry the VLAN tag, and frames arriving with that tag are accepted into the VLAN. If it is an untagged member, it sends that VLAN’s traffic with no tag and puts any untagged frame it receives into that VLAN. So you would only make a port a tagged member if the device plugged into it is VLAN aware, i.e. another switch, a router, or a machine with a VLAN-aware NIC. (Note: The VLAN tag is the 4-byte 802.1Q header inserted into the Ethernet frame after the source MAC address; its 12-bit VLAN ID is what tells the receiver which VLAN the frame belongs to.) In Cisco terms, an access port is simply an untagged member of one VLAN, and a trunk port is a tagged member of each allowed VLAN and untagged only on its native VLAN. Note that the inter-switch ports below (13 and 23) are left as untagged members of VLAN 1, so they carry VLAN 1 untagged exactly as the Cisco trunks in scenario 1 carry native VLAN 1. So to do exactly the same as we did in scenario 1, but with HP switches, you would do the following:

BE AWARE: Any single port can only be untagged on one VLAN. Out of the box all ports are untagged on VLAN 1 (or the default VLAN), so if you untag a port into VLAN 20 (for example) it will automatically remove the ‘vlan 1 untagged’ property for that port.

[box]

Switch01> enable
 Password:xxxxx
 Switch01# configure terminal
 Switch01(config)# vlan 10 name Admin
 Switch01(config)# vlan 20 name Data
 Switch01(config)# vlan 10
 Switch01(vlan-10)# untagged 6
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# untagged 16
 Switch01(vlan-20)# exit
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged 13
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged 13
 Switch01(vlan-20)# exit
 Switch01(config)# write mem
 Switch01(config)#
 
 Switch02> enable
 Password:xxxxx
 Switch02# configure terminal
 Switch02(config)# vlan 10 name Admin
 Switch02(config)# vlan 20 name Data
 Switch02(config)# vlan 10
 Switch02(vlan-10)# untagged 4
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# untagged 20
 Switch02(vlan-20)# exit
 Switch02(config)# vlan 10
 Switch02(vlan-10)# tagged 23
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# tagged 23
 Switch02(vlan-20)# exit
 Switch02(config)# write mem
 Switch02(config)#[/box]
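To make the two vocabularies concrete, here is an added example (not code from the original article or from either vendor) that builds and parses 802.1Q-tagged Ethernet frames with the Python standard library only, and models a port as HP describes it (one untagged VLAN plus a set of tagged VLANs) with constructors that translate the Cisco access/trunk commands from scenario 1 into that model. The MAC addresses, port names and payloads are made up, and the ingress rule is deliberately simplified: real switches differ on how they treat a tagged frame that carries the native VLAN ID or arrives on an access port, so check your platform rather than trusting the model for those cases.

```python
"""802.1Q tagging and the Cisco vs HP port vocabulary (added example).

Not code from the original article or from either vendor.  Builds and parses
single-tagged Ethernet frames with the standard library only and models how a
port treats a frame according to its VLAN membership.  MAC addresses, port
names and payloads are made up; the ingress rule is simplified (see lead-in).
"""
import struct
from typing import Iterable, Optional

TPID_8021Q = 0x8100      # Tag Protocol Identifier that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800  # payload type used for the demo frames


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; when a VLAN ID is given, a 4-byte tag (TPID + TCI) is
    inserted after the source MAC.  TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    if vlan is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into dst, src, vlan (None when untagged), ethertype, payload."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype,
            "payload": frame[offset:]}


class Port:
    """A port in HP terms: at most one untagged VLAN plus a set of tagged VLANs.
    Cisco 'switchport access vlan N' is 'untagged N' and nothing else; Cisco
    'switchport mode trunk' + 'trunk allowed vlan A,B,C' is 'tagged' on each
    allowed VLAN except the native VLAN, which is the trunk's untagged VLAN."""

    def __init__(self, name: str, untagged: Optional[int] = None,
                 tagged: Iterable[int] = ()):
        self.name, self.untagged, self.tagged = name, untagged, set(tagged)
        if untagged in self.tagged:
            raise ValueError("a VLAN cannot be both tagged and untagged on one port")

    @classmethod
    def cisco_access(cls, name: str, vlan: int) -> "Port":
        return cls(name, untagged=vlan)

    @classmethod
    def cisco_trunk(cls, name: str, allowed: Iterable[int], native: int = 1) -> "Port":
        allowed = set(allowed)
        return cls(name, untagged=native if native in allowed else None,
                   tagged=allowed - {native})

    def ingress_vlan(self, frame: bytes) -> Optional[int]:
        """VLAN an arriving frame is placed in, or None if the port drops it.
        An untagged frame lands in the untagged (native) VLAN, which is why a
        trunk's native VLAN is best set to one no host is meant to use."""
        vid = parse_frame(frame)["vlan"]
        if vid is None:
            return self.untagged
        return vid if vid in self.tagged else None

    def egress(self, vlan: int, frame: bytes) -> Optional[bytes]:
        """Re-tag for transmission: strip the tag on the untagged VLAN, carry it
        on tagged VLANs, refuse VLANs this port is not a member of."""
        p = parse_frame(frame)
        if vlan == self.untagged:
            return build_frame(p["dst"], p["src"], p["payload"])
        if vlan in self.tagged:
            return build_frame(p["dst"], p["src"], p["payload"], vlan=vlan)
        return None


def scenario_switch01() -> dict:
    """Switch01 from scenario 1 (Cisco terms) and scenario 2 (HP terms, with the
    article's HP port numbers); both descriptions give the same memberships."""
    cisco = {"f0/2": Port.cisco_access("f0/2", 10),
             "f0/16": Port.cisco_access("f0/16", 20),
             "f0/23": Port.cisco_trunk("f0/23", [1, 10, 20], native=1)}
    hp = {"6": Port("6", untagged=10),
          "16": Port("16", untagged=20),
          "13": Port("13", untagged=1, tagged={10, 20})}
    return {"cisco": cisco, "hp": hp}


def forward_demo() -> dict:
    """An untagged frame from the Admin host enters f0/2 and leaves the trunk
    tagged VLAN 10; the trunk refuses to send a frame on VLAN 30."""
    sw = scenario_switch01()["cisco"]
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x0a", b"admin-host")
    vid = sw["f0/2"].ingress_vlan(frame)
    out = sw["f0/23"].egress(vid, frame)
    return {"ingress_vlan": vid, "trunk_out_vlan": parse_frame(out)["vlan"],
            "vlan30_on_trunk": sw["f0/23"].egress(30, frame)}


if __name__ == "__main__":
    print(forward_demo())
```

The point of the model is that the HP ‘one untagged VLAN per port’ rule (the BE AWARE note above) and the Cisco native VLAN are the same thing seen from two vendors: whichever frames arrive with no tag go into that VLAN, so an inter-switch port should have it set to a VLAN that carries no user traffic.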

Scenario 3 Setting up HP Switches with Trunked VLANs

Remember that with HP a ‘trunk’ means link aggregation: bundling several physical ports into one logical link (if you’re a Cisco head, think port-channel / EtherChannel). It has nothing to do with carrying VLANs. So here we create an LACP trunk (Trk1) from ports 21 and 23, then make that trunk, rather than the individual ports, a tagged member of each VLAN so the VLAN traffic crosses the aggregated link. Both switches must run LACP on their ends of the bundle for Trk1 to come up; ‘show trunks’ and ‘show lacp’ will tell you whether it has.

[box]

Switch01> enable
 Password:xxxxx
 Switch01# configure terminal
 Switch01(config)# vlan 10 name Admin
 Switch01(config)# vlan 20 name Data
 Switch01(config)# vlan 10
 Switch01(vlan-10)# untagged 6
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# untagged 16
 Switch01(vlan-20)# exit
 Switch01(config)# trunk 21,23 Trk1 LACP
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged Trk1
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged Trk1
 Switch01(vlan-20)# exit
 Switch01(config)# write mem 
 Switch01(config)# 

 
 Switch02> enable
 Password:xxxxx
 Switch02# configure terminal
 Switch02(config)# vlan 10 name Admin
 Switch02(config)# vlan 20 name Data
 Switch02(config)# vlan 10
 Switch02(vlan-10)# untagged 4
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# untagged 20
 Switch02(vlan-20)# exit
 Switch02(config)# trunk 21,23 Trk1 LACP
 Switch02(config)# vlan 10
 Switch02(vlan-10)# tagged Trk1
 Switch02(vlan-10)# exit
 Switch02(config)# vlan 20
 Switch02(vlan-20)# tagged Trk1
 Switch02(vlan-20)# exit
 Switch02(config)# write mem
 Switch02(config)#

[/box]

Scenario 4 Setup VLANs via HP Trunks and Cisco Port Channels

Now we have gone full circle: we know what all the differences are, so the final part is to get the two vendors to talk to each other. I’ll set up a two-cable HP trunk (ports 21 and 23, LACP), connect it to a Cisco LACP port-channel (fa0/23-24, ‘channel-group 1 mode active’), and then add the VLAN traffic on top: tagged on Trk1 on the HP side, and ‘switchport mode trunk’ with an allowed-VLAN list on the port-channel interface on the Cisco side. One caveat about the Cisco transcript below: the ‘spanning-tree portfast trunk’ command is not needed to make the port-channel work, and the warning IOS prints is genuine; on a link to another switch let spanning tree run normally rather than skipping the listening and learning states. Once both sides are up, ‘show etherchannel summary’ and ‘show interfaces trunk’ on the Cisco, and ‘show trunks’ and ‘show vlans’ on the HP, should agree on the bundle and on the VLAN list.

[box]

Switch01> enable
 Password:xxxxx
 Switch01# configure terminal
 Switch01(config)# vlan 10 name Admin
 Switch01(config)# vlan 20 name Data
 Switch01(config)# vlan 10
 Switch01(vlan-10)# untagged 6
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# untagged 16
 Switch01(vlan-20)# exit
 Switch01(config)# trunk 21,23 Trk1 LACP
 Switch01(config)# vlan 10
 Switch01(vlan-10)# tagged Trk1
 Switch01(vlan-10)# exit
 Switch01(config)# vlan 20
 Switch01(vlan-20)# tagged Trk1
 Switch01(vlan-20)# exit
 Switch01(config)# write mem 
 Switch01(config)# 

 
 Switch02>
 Switch02>enable
 Password: xxxxxxx
 Switch02#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch02(config)#vlan 10
 Switch02(config-vlan)#name Admin
 Switch02(config-vlan)#exit
 Switch02(config)#vlan 20
 Switch02(config-vlan)#name Data
 Switch02(config-vlan)#exit
 Switch02(config)#int f0/2
 Switch02(config-if)#switchport mode access
 Switch02(config-if)#switchport access vlan 10
 Switch02(config-if)#exit
 Switch02(config)# interface range fa0/23 - 24
 Switch02(config-if-range)# spanning-tree portfast trunk
 %Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

Switch02(config-if-range)# channel-protocol lacp
 Switch02(config-if-range)# channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
 Switch02(config-if-range)# interface port-channel 1
 Switch02(config-if)# switchport mode trunk
 Switch02(config-if)#switchport trunk allowed vlan 1,10,20
 Switch02(config-if)#exit
 Switch02(config)#exit
 Switch02#write mem
 Building configuration...
 [OK]
 Switch02#

[/box]

Setting up VLANs on older Cisco Switches

Here’s an example using the older ‘vlan database’ commands. On these switches the trunk encapsulation must be set to dot1q before the port can be put into trunk mode; with the default encapsulation of ‘auto’ the ‘switchport mode trunk’ command is rejected.

[box]

Switch01>
 Switch01>enable
 Password: 
 Switch01#
 Switch01#vlan database
 Switch01(vlan)#vlan 10 name Admin
 VLAN 10 modified:
 Name: Admin
 Switch01(vlan)#vlan 20 name Data
 VLAN 20 modified:
 Name: Data
 Switch01(vlan)#exit
 APPLY completed.
 Exiting....
 Switch01#configure terminal
 Enter configuration commands, one per line. End with CNTL/Z.
 Switch01(config)#int f0/2
 Switch01(config-if)#switchport mode access 
 Switch01(config-if)#switchport access vlan 10
 Switch01(config-if)#exit
 Switch01(config)#int f0/16
 Switch01(config-if)#switchport mode access
 Switch01(config-if)#switchport access vlan 20
 Switch01(config-if)#exit
 Switch01(config)#int f0/23
 Switch01(config-if)#switchport trunk encapsulation dot1q
 Switch01(config-if)#switchport mode trunk
 Switch01(config-if)#switchport trunk allowed vlan 1,10,20
 Switch01(config-if)#exit
 Switch01(config)#exit
 Switch01#write mem
 Building configuration...
 
 Switch01#[/box]

 

Related Articles, References, Credits, or External Links

Thanks to Valentin Bajrami for the feedback

 

Cisco Router – Configure NAT (NAT Overload)

KB ID 0000971 

Problem

NAT is the process of taking one or more IP addresses and translating them into different IP addresses. The common case is a router translating all of your internal addresses to the single public address your ISP allocated; because many inside hosts share one outside address, the router also rewrites source ports to keep the sessions apart. Cisco calls this NAT Overload (elsewhere it is called PAT).

Solution

1. Connect to the router, go to enable mode, then global configuration mode.

[box]

PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#

[/box]

2. Setup the WAN (outside facing) interface.

[box]

PetesRouter(config)#interface GigabitEthernet0/0
PetesRouter(config-if)#ip address 123.123.123.123 255.255.255.0
PetesRouter(config-if)#ip nat outside
PetesRouter(config-if)#no shutdown
PetesRouter(config-if)#exit

[/box]

3. Setup the LAN (inside facing) interface.

[box]

PetesRouter(config)#interface GigabitEthernet0/1
PetesRouter(config-if)#ip address 192.168.1.1 255.255.255.0
PetesRouter(config-if)#ip nat inside
PetesRouter(config-if)#no shutdown
PetesRouter(config-if)#exit

[/box]

4. You will also need a ‘default route’, which is the router’s ‘next hop’ towards the internet.

[box]

PetesRouter(config)#ip route 0.0.0.0 0.0.0.0 123.123.123.2

[/box]

5. Create an ACL that will match any traffic coming from inside (remember that in a NAT ACL, permit means ‘match and translate’, not ‘allow’). Match only your inside networks here; a ‘permit ip any any’ would translate transit traffic as well.

[box]

PetesRouter(config)#access-list 100 remark NAT-ACL
PetesRouter(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any

[/box]

6. Then tie it all together with the following command: sources matched by list 100 are translated to the address of the outside interface, and ‘overload’ is what lets many inside hosts share it. Note that NAT on its own is not a firewall: inbound traffic with no translation entry has nowhere to go, but the router itself is still reachable on its public address, so apply an inbound ACL on the outside interface as well.

[box]

PetesRouter(config)#ip nat inside source list 100 interface GigabitEthernet 0/0 overload

[/box]

7. Save the changes.

[box]

PetesRouter(config)#exit
PetesRouter#write mem
Building configuration...
[OK]
PetesRouter#

[/box]
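The procedure above is just seven lines of IOS, but two of its pieces are easy to get wrong: the wildcard mask in step 5 (a 0 bit must match, a 1 bit is ‘don’t care’, the inverse of a subnet mask) and what ‘overload’ actually does in step 6. Here is an added example, not code from the original article or from Cisco IOS, that simulates both in Python: a wildcard-mask ACL matcher and a PAT table that maps many inside (address, port) pairs onto the one outside address, each on its own port, and demultiplexes the replies. The inside network and outside address are the article’s; the hosts, destination and ports are made up, and the port-allocation rule (keep the original source port if it is free, otherwise take the next free one) is this simulator’s rule, not a claim about exactly what IOS does.

```python
"""NAT overload (PAT) as a small simulator (added example).

Not code from the original article or from Cisco IOS.  It models the two
decisions the router makes for each outbound packet: does the source match the
'inside source' ACL (Cisco wildcard mask, where a 0 bit must match and a 1 bit
is 'don't care'), and which (outside IP, port) pair the flow gets when many
inside hosts share one public address.  Hosts, destinations and ports are made
up; the port rule (keep the source port if free, else the next free one) is
this simulator's, not a statement of what IOS does.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL test: compare only the bits where the wildcard mask is 0."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


class Acl:
    """Ordered (action, network, wildcard) entries plus the implicit deny."""

    def __init__(self, entries: List[Tuple[str, str, str]]):
        self.entries = entries

    def permits(self, src_ip: str) -> bool:
        for action, net, wc in self.entries:
            if wildcard_match(src_ip, net, wc):
                return action == "permit"
        return False  # nothing matched: implicit deny, so no translation


class PatTable:
    """Many inside (ip, port) pairs share one outside IP, each on its own port."""

    def __init__(self, outside_ip: str, ports: Tuple[int, int] = (1024, 65535)):
        self.outside_ip, (self.low, self.high) = outside_ip, ports
        self.out: Dict[Flow, int] = {}               # flow -> outside port
        self.back: Dict[Tuple[str, int], Flow] = {}  # (proto, outside port) -> flow

    def _next_free(self, proto: str) -> int:
        for port in range(self.low, self.high + 1):
            if (proto, port) not in self.back:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_out(self, flow: Flow) -> Tuple[str, int]:
        """Source (ip, port) to write into the outbound packet."""
        if flow not in self.out:
            proto, _, src_port, _, _ = flow
            port = src_port if (proto, src_port) not in self.back else self._next_free(proto)
            self.out[flow] = port
            self.back[(proto, port)] = flow
        return self.outside_ip, self.out[flow]

    def translate_in(self, proto: str, outside_port: int) -> Optional[Flow]:
        """Return traffic is demultiplexed by (proto, outside port); a packet
        with no entry has no inside host to go to, so the router drops it."""
        return self.back.get((proto, outside_port))


class Router:
    """'ip nat inside source list 100 interface Gi0/0 overload' in miniature."""

    def __init__(self, acl: Acl, pat: PatTable):
        self.acl, self.pat = acl, pat

    def outbound(self, flow: Flow) -> Tuple[str, int]:
        """Translate only flows the ACL permits; anything else is routed out
        with its real source address (and will usually be dropped upstream)."""
        if not self.acl.permits(flow[1]):
            return flow[1], flow[2]
        return self.pat.translate_out(flow)


def demo() -> dict:
    """Two inside hosts pick the same source port; the second gets a new one."""
    router = Router(Acl([("permit", "192.168.1.0", "0.0.0.255")]),
                    PatTable("123.123.123.123"))
    host_a = router.outbound(("tcp", "192.168.1.10", 40000, "203.0.113.5", 443))
    host_b = router.outbound(("tcp", "192.168.1.11", 40000, "203.0.113.5", 443))
    other = router.outbound(("tcp", "10.0.0.5", 5555, "203.0.113.5", 443))
    return {"host_a": host_a, "host_b": host_b, "not_in_acl": other,
            "reply_to_b": router.pat.translate_in("tcp", host_b[1]),
            "unsolicited": router.pat.translate_in("tcp", 2222)}


if __name__ == "__main__":
    print(demo())
```

The ‘unsolicited’ case is the reason overload NAT feels like a firewall: an inbound packet to the public address with no matching entry is simply dropped. That protection only covers translated flows, though, which is why the inbound ACL mentioned in step 6 still matters.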

 

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – Essentials / Premium Licenses. Explained

KB ID 0000628 

Problem

Note: With AnyConnect 4, Cisco now uses Plus and Apex AnyConnect licensing.

When Cisco released version 8.2 of the ASA code, they changed their licensing model for AnyConnect licenses. There are two licensing models: Premium and Essentials.

Solution

Cisco ASA AnyConnect Premium Licenses.

You get two of these free with your firewall*. With a ‘Premium License’ you can use the AnyConnect client software for remote VPN access, and you can use the clientless SSL VPN facilities via the web portal.

*As pointed out by @nhomsany: “The two default premium licenses available are NOT cross-platform, (i.e. only Mac or Windows).”

Additionally you can use this license model with the Advanced Endpoint Assessment license, which is the license you require for Cisco Secure Desktop. You can also use it with the AnyConnect Mobile license for access from mobile devices such as phones or tablets (both of these licenses are an additional purchase).

For most people wishing to buy extra AnyConnect licensing, this is the one you want. The types and sizes differ depending on the ASA platform in question, e.g. the 5505 Premium licenses are available as 10-session and 25-session licenses, and the 5510 in 10, 25, 50, 100 and 250 sessions. (Note: These are correct for version 8.4 and are subject to change; check with your reseller.)

Failover: If you are using failover firewalls you can (but don’t have to) use a shared license model, which lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware; this requires one ASA to be set up as the license server. Before version 8.3 you needed to purchase licenses for both firewalls. From version 8.3, Cisco allowed the licenses to be replicated between firewalls in a failover pair. The exception is Active/Active, where the licenses from both firewalls are aggregated and ALL are available, providing the total does not exceed the maximum for the hardware being used.

Cisco ASA AnyConnect Essential Licenses

When you enable Essentials licensing, your firewall changes its licensing model and the two Premium licenses you get with it are disabled*. The firewall will then ONLY accept AnyConnect connections from the AnyConnect VPN client software.

Note: The portal still exists, but can only be used to download the AnyConnect Client Software.

With Essentials licensing enabled, the firewall will accept up to the maximum number of VPN sessions that hardware version supports (see the table below), without the need to keep adding licenses.

Note: Remember these are “peer VPN sessions”. If you have a bunch of other VPNs (including IPsec ones), they are taken from the same pot.

Additionally, you can use this license with the AnyConnect Mobile license for access from mobile devices such as phones or tablets; that license is an additional purchase.

Failover: Prior to version 8.3, if you have failover firewalls and are using Essentials licenses, you need to purchase an Essentials license for BOTH firewalls. From version 8.3 Cisco allowed the licenses to be replicated between firewalls in a failover pair.

Cisco ASA Maximum VPN Peers / Sessions

5505 = 25
5510 = 250
5520 = 750
5540 = 5,000
5550 = 5,000
5580 = 10,000

Next Generation Platform (X)

5512-X = 250
5515-X = 250
5525-X = 750
5545-X = 2,500
5555-X = 5,000
5585-X = 10,000

*To re-enable the built-in Premium licenses you need to disable Essentials licensing, either with the ‘no anyconnect-essentials’ command or in the ASDM: Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Essentials.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Cisco AnyConnect Mobility License

Cisco ASA 5500 – Adding Licenses